Cosmin Prund
2006-Feb-05 13:38 UTC
[Asterisk-Users] (newby) Asterisk on the open internet & security
Hello everyone. I'm again bothering you with a bit of a problem, hopefully not really a problem. I just need someone to tell me this is ok :-)

I'm planning on having two * machines on the open internet (i.e. not behind a NAT) and having them talk to each other using IAX2. I can handle all the firewalling requirements in this case easily because at least one of the *'s has a fixed address and I'll be able to filter traffic on IP.

It's all fine and safe so far. But then it hit me: I'll also want to "log on" to my business's PBX from home, in order to gain access to some of its low-rate gateways! That will not work if my office * filters on IP! Nor would I be able to use a soft SIP phone on my laptop when I'm not at the office!

So my question:

Is Asterisk's built-in security enough? If ALL my sip peers have proper usernames and secrets set up and my box has only the required ports open, is it safe to run Asterisk on the open internet? Does anyone run Asterisk like that?

I can almost answer my own question: "You may safely run Asterisk like that - there are lots of VoIP services providing PSTN termination that way" but, being new to all this stuff, I'll stay on the safe side and ask.

Thanks.
Michiel van Baak
2006-Feb-05 14:11 UTC
[Asterisk-Users] (newby) Asterisk on the open internet & security
On 22:38, Sun 05 Feb 06, Cosmin Prund wrote:
>
> Hello everyone. I'm again bothering you with a bit of a problem, hopefully
> not really a problem. I just need someone to tell me this is ok :-)
>
> I'm planning on having two * machines on the open internet (i.e. not behind a
> NAT) and having them talk to each other using IAX2. I can handle all the
> firewalling requirements in this case easily because at least one of the *'s
> has a fixed address and I'll be able to filter traffic on IP.
>
> It's all fine and safe so far. But then it hit me: I'll also want to "log
> on" to my business's PBX from home, in order to gain access to some of its
> low-rate gateways! That will not work if my office * filters on IP! Nor
> would I be able to use a soft SIP phone on my laptop when I'm not at the
> office!
>
> So my question:
>
> Is Asterisk's built-in security enough? If ALL my sip peers have proper
> usernames and secrets set up and my box has only the required ports open, is
> it safe to run Asterisk on the open internet? Does anyone run Asterisk like
> that?
>
> I can almost answer my own question: "You may safely run Asterisk like that
> - there are lots of VoIP services providing PSTN termination that way" but,
> being new to all this stuff, I'll stay on the safe side and ask.
>
> Thanks.

Hey,

We are running asterisk on the internet, allowing sip phones at customers' locations/laptops etc. to log in and use the calls.
Just make sure to disallow sip users/peers without valid user/secret in the extensions.conf.

(something like this in sip.conf)

    [general]
    ; context used for callers that do not match a configured user/peer
    context = sip-default

(and in extensions.conf)

    [sip-default]
    ; the only thing this context does is hang up
    exten => s,1,Hangup()

If you don't trust and fear someone is sniffing your udp packets that hold user/secret, you can always set up openvpn (or whatever vpn solution) and use that to connect first and tunnel your sip traffic through it.

--
Michiel van Baak
http://michiel.vanbaak.info
michiel@vanbaak.info
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer afficionados are both called users?"
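
The two checks discussed in this thread (every SIP peer has a secret, and the [general] context in sip.conf points at a context that only hangs up) can be audited with a small script. This is an added example, not part of the original posts or of Asterisk; the sample files, the function names and the fallback to a context named "default" are assumptions.

```python
import re

# Constructed sample files (not from the thread); [homephone] has no secret.
SIP_CONF = """[general]
context = sip-default
[laptop]
type = friend
secret = constructed-example-secret
context = internal
[homephone]
type = friend
context = internal
"""
EXTENSIONS_CONF = """[sip-default]
exten => s,1,Hangup()
[internal]
exten => _X.,1,Dial(SIP/${EXTEN})
"""

def parse_sections(text):
    """Map each [section] of an Asterisk .conf file to its non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def settings(lines):
    """Turn 'key = value' lines into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, _, v in (l.partition("=") for l in lines)}

def audit(sip_text, ext_text):
    """Return findings for the two checks discussed in the thread."""
    sip, ext = parse_sections(sip_text), parse_sections(ext_text)
    findings = []
    # Assumption: with no context set in [general], the context named "default" is used.
    ctx = settings(sip.get("general", [])).get("context", "default")
    steps = ext.get(ctx, [])
    if not steps or not all(re.search(r",\s*hangup(\(.*\))?$", s, re.I) for s in steps):
        findings.append(f"default context [{ctx}] is missing or does more than hang up")
    for name, lines in sip.items():
        conf = settings(lines)
        if name != "general" and not (conf.get("secret") or conf.get("md5secret")):
            findings.append(f"peer [{name}] has no secret")
    return findings

if __name__ == "__main__":
    print(audit(SIP_CONF, EXTENSIONS_CONF))
```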